Serv-U FTP Server Arbitrary File/Directory Access

2000-12-05T00:00:00
ID OSVDB:464
Type osvdb
Reporter OSVDB
Modified 2000-12-05T00:00:00

Description

Vulnerability Description

Serv-U FTP Server contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The issue is due to the server not properly sanitizing user input, specifically traversal-style sequences (../../) supplied as the argument to the "cd" command.

Solution Description

Upgrade to version 2.5i or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Serv-U FTP Server contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The issue is due to the server not properly sanitizing user input, specifically traversal-style sequences (../../) supplied as the argument to the "cd" command.

Manual Testing Notes

ftp [victim]
ftp> cd /..%20.
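The record describes the root cause as an unsanitized "cd" argument, and the testing note shows a variant ("..%20.") that is not a literal "../" yet still climbs out of the root. The following Python sketch is an added example, not code from the OSVDB record or from Serv-U: it shows how an FTP server can resolve a "cd" request against a virtual root and refuse any result that escapes it. It assumes two canonicalization steps that the page does not state Serv-U performed: percent-decoding the argument, and dropping trailing dots and spaces from each path segment (which Windows file APIs ignore, so ".. ." names the same directory as ".."). Both are applied before any decision is made, so the check is not fooled by the encoded form.

```python
from typing import List, Optional
from urllib.parse import unquote


def canonical_segment(seg: str) -> str:
    """Reduce one path segment to the name the filesystem would actually use.

    Assumed canonicalization (not from the advisory): percent-decode, then
    strip trailing spaces and dots the way Windows does. A segment made only
    of dots and spaces collapses to "", "." or ".." by its dot count, so
    "..%20." -> ".. ." -> ".." and is treated as a parent reference.
    """
    seg = unquote(seg)
    stripped = seg.rstrip(" .")
    if stripped:
        return stripped          # ordinary name with trailing junk removed
    dots = seg.count(".")
    if dots == 0:
        return ""                # empty or whitespace-only segment
    if dots == 1:
        return "."               # current directory
    return ".."                  # two or more dots: treat as parent (conservative)


def resolve_cd(cwd: str, requested: str) -> Optional[str]:
    """Return the new virtual working directory, or None if the request
    would leave the virtual root "/". `cwd` is always an absolute virtual path."""
    target = requested if requested.startswith("/") else cwd.rstrip("/") + "/" + requested
    parts: List[str] = []
    for raw in target.split("/"):
        seg = canonical_segment(raw)
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None      # climbing above the virtual root: deny
            parts.pop()
            continue
        if any(ch in seg for ch in "\\:\0"):
            return None          # backslash, drive letter or NUL: not a plain name
        parts.append(seg)
    return "/" + "/".join(parts)


def handle_cd(cwd: str, requested: str) -> str:
    """FTP-style reply for a CWD request, logging denials for detection."""
    new_cwd = resolve_cd(cwd, requested)
    if new_cwd is None:
        # Constructed log line: a denied traversal attempt is worth alerting on.
        print(f"ALERT cwd={cwd!r} request={requested!r} denied (escapes root)")
        return "550 Permission denied"
    return f"250 Directory changed to {new_cwd}"


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, three traversal attempts.
    for cwd, req in [("/pub", "incoming"), ("/pub", "../pub/files"),
                     ("/", "/..%20."), ("/pub", "../.."), ("/", "..\\..")]:
        print(f"{cwd:6} {req!r:16} -> {handle_cd(cwd, req)}")
```

The check decides on the canonical form of every segment rather than searching the raw string for "../", which is why the encoded and space-padded variants from the testing note are caught as well as the plain form. Denials are logged separately from ordinary 550 replies so that a burst of them from one client stands out in the server log.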

References:

Vendor URL: http://www.serv-u.com/
Snort Signature ID: 360
Nessus Plugin ID: 10565
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-12/0043.html
Keyword: Directory Traversal
ISS X-Force ID: 5639
CVE: CVE-2001-0054
Bugtraq ID: 2052